Vulnerability Scan - BEAST Attack

[myarmush]

A vulnerability scan was run against our Zimbra server and it showed that we were vulnerable to BEAST attack.

On other servers (Apache/OpenSSL) I am able to mitigate this by setting the cipher order. On Zimbra, I can set the cipher suite but I haven't found any documentation on how to set the order.

Can this be done? If not, how can BEAST be mitigated for Zimbra?

Regards,
Moe

[LMStone]

There is at least one other thread here in the forums which describes restricting the ciphers Zimbra accepts; to my recollection the thread is more than a year old and covers a previous version of Zimbra.

Hope that helps,
Mark

[phoenix]

There is at least one other thread here in the forums which describes restricting the ciphers Zimbra accepts; to my recollection the thread is more than a year old and covers a previous version of Zimbra.

There's even a wiki article on the subject.

[myarmush]

Thanks for the input guys.

I have already restricted the cipher suites that Zimbra accepts by using zmprov mcf +zimbraSSLExcludeCipherSuites xxxxx and I set the SSL/TLS settings in Postfix by following the Wiki article at Postfix PCI Compliance in ZCS - Zimbra :: Wiki.

In other technologies, e.g. Apache Http, I can set the order of the cipher suites without totally excluding them.
This effectively mitigates BEAST, i.e. an SSL scan from ssllabs.com shows that my web server is not vulnerable to BEAST.

My question is: can I set the "order" of the ciphers suites without restricting them entirely?

Regards,
Moe